Foreword


The  Federal  Information  Processing  Standards  Publication  Series  of  the  National  Bureau  of 
Standards  is  the  official  publication  relating  to  standards  adopted  and  promulgated  under 
the  provisions  of  Public  Law  89-306  (Brooks  Act)  and  under  Part  6  of  Title  15,  Code  of 
Federal  Regulations.  These  legislative  and  executive  mandates  have  given  the  Secretary  of 
Commerce  important  responsibilities  for  improving  the  utilization  and  management  of 
computers  and  automatic  data  processing  in  the  Federal  Government.  To  carry  out  the 
Secretary's  responsibilities,  the  NBS,  through  its  Institute  for  Computer  Sciences  and 
Technology,  provides  leadership,  technical  guidance  and  coordination  of  Government  efforts 
in  the  development  of  guidelines  and  standards  in  these  areas. 

Comments  concerning  Federal  Information  Processing  Standards  Publications  are  welcomed  and 
should  be  addressed  to  the  Director,  Institute  for  Computer  Sciences  and  Technology, 
National  Bureau  of  Standards,  Washington,  DC  20234. 


James  H.  Burrows,  Director 
Institute  for  Computer  Sciences 
and  Technology 


Abstract 


The  Federal  Data  Encryption  Standard  (DES)  (FIPS  46)  specifies  a  cryptographic  algorithm  to 
be  used  for  the  cryptographic  protection  of  sensitive,  but  unclassified,  computer  data. 
This  FIPS  defines  four  modes  of  operation  for  the  DES  which  may  be  used  in  a  wide  variety 
of applications. The modes specify how data will be encrypted (cryptographically protected)
and decrypted (returned to original form). The modes included in this standard are the
Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback
(CFB) mode, and the Output Feedback (OFB) mode.

Federal Information Processing Standards Publications are issued by the National Bureau of
Standards  pursuant  to  the  Federal  Property  and  Administrative  Services  Act  of  1949,  as 
amended,  Public  Law  89-306  (79  Stat.  1127),  Executive  Order  11717  (38  FR  12315,  dated  May 
11,  1973),  and  Part  6  of  Title  15  Code  of  Federal  Regulations  (CFR). 

1.  Name  of  Standard.  DES  Modes  of  Operation. 

2.  Category  of  Standard.  ADP  Operations,  computer  security. 

3. Explanation. The Federal Data Encryption Standard (DES) (FIPS 46) specifies a cryptographic
algorithm to be used for the cryptographic protection of sensitive, but unclassified,
computer data. This FIPS defines four modes of operation for the DES which may be
used in a wide variety of applications. The modes specify how data will be encrypted
(cryptographically protected) and decrypted (returned to original form). The modes included
in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining
(CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.


The  body  of  this  standard  provides  specifications  of  the  recommended  modes  of  operation  but 
does  not  specify  the  necessary  and  sufficient  conditions  for  their  secure  implementation  in 
a  particular  application.  This  standard  specifies  the  numbering  of  data  bits,  how  the  bits 
are  encrypted  and  decrypted,  and  the  data  paths  and  the  data  processing  necessary  for 
encrypting  and  decrypting  data  or  messages.  This  standard  is  based  on  (and  references)  the 
DES  and  provides  the  next  level  of  detail  necessary  for  providing  compatibility  among  DES 
equipment.  This  standard  anticipates  the  development  of  a  set  of  application  standards 
which reference it such as communication security standards, data storage standards, password
protection standards and key management standards. Cryptographic system designers or
security  application  designers  must  select  one  or  more  of  the  possible  modes  of  operation 
for  implementing  and  using  the  DES  in  a  cryptographic  system  or  security  application.  The 
Appendices  to  this  standard  provide  tutorial  information  on  the  modes  of  operation  and 
examples  for  validating  their  correct  implementation.  The  Appendices  are  guidelines  and 
are  not  mandatory  requirements  of  this  standard. 

4.  Approving  Authority.  Secretary  of  Commerce. 

5. Maintenance Agency. U.S. Department of Commerce, National Bureau of Standards, Institute
for Computer Sciences and Technology.

6. Related Documents.

FIPS PUB 46, "Data Encryption Standard," January 15, 1977.

(Proposed) Federal Standard 1026, "Telecommunications: Interoperability Requirements for
Use of the Data Encryption Standard," May 20, 1980, draft.

(Proposed) Federal Standard 1027, "Telecommunications: Security Requirements for Use of
the Data Encryption Standard," August 5, 1980, draft.

A list of currently approved FIPS may be obtained from the Standards Administration Office,
Institute for Computer Sciences and Technology, National Bureau of Standards, Washington,
DC 20234.

7.  Applicability.  This  standard  shall  be  used  by  Federal  departments  and  agencies  when 
procuring  equipment  or  services  which  implement  the  Data  Encryption  Standard  and  which  are 
intended  for  use  in  the  cryptographic  protection  of  sensitive,  but  unclassified,  computer 
data.  This  standard  may  be  used  by  anyone  desiring  to  implement  and  use  the  Data 
Encryption  Standard.  The  selection  of  one  of  the  specified  modes  of  operation  will  depend 
on  the  particular  application  being  considered. 

8. Specifications. Federal Information Processing Standard (FIPS 81) DES Modes of Operation
(affixed).

9.  Qualifications.  The  DES  modes  of  operation  described  in  this  standard  are  based  upon 
information  provided  by  many  sources  within  the  Federal  Government  and  private  industry. 
These  modes  are  presently  being  implemented  in  cryptographic  equipment  containing  DES 
devices.  However,  a  standard  of  this  nature  must,  of  necessity,  remain  flexible  enough  to 
adapt  to  advancements  and  innovations  in  science  and  technology.  As  such,  this  standard 
should  not  be  construed  as  being  either  exhaustive  or  static.  It  will  be  reviewed  every 
five  years  in  order  to  incorporate  new  implementations  whose  technical  or  economic  merit 
justify  the  issuance  of  a  revised  standard.  FIPS  46  requires  implementation  of  the  DES 
algorithm  in  electronic  devices  when  used  by  Federal  departments  and  agencies.  The  DES, 
itself,  must  therefore  be  in  hardware  or  firmware  for  Federal  applications.  However,  the 
modes  of  operation  specified  in  this  standard  may  be  implemented  in  software,  hardware,  or 
firmware. 

10.  Export  Control.  Cryptographic  devices  and  technical  data  regarding  them  are  subject 
to  Federal  Government  export  controls  as  specified  in  Title  22,  Code  of  Federal 
Regulations,  Parts  121  through  128.  Cryptographic  devices  implementing  this  standard  and 
technical  data  regarding  them  must  comply  with  these  Federal  regulations. 

11.  Patents.  Cryptographic  equipment  implementing  this  standard  may  be  covered  by  U.S. 
and  foreign  patents. 

12.  Implementation  Schedule.  This  standard  becomes  effective  on  June  2,  1981. 

13.  Waivers.  Heads  of  agencies  may  request  that  the  requirements  of  this  standard  be 
waived in instances where it can be clearly demonstrated that there are appreciable performance
or cost advantages to be gained and when the overall interests of the Federal Government
are best served by granting the requested waiver. Such waiver requests will be
reviewed  by  and  are  subject  to  the  approval  of  the  Secretary  of  Commerce.  The  waiver 
request  must  specify  anticipated  performance  and  cost  advantages  in  the  justification  for 
the  waiver. 

Forty-five  days  should  be  allowed  for  review  and  response  by  the  Secretary  of  Commerce. 
Waiver  requests  shall  be  submitted  to  the  Secretary  of  Commerce,  Washington,  DC  20230,  and 
labeled  as  a  Request  for  a  Waiver  to  this  Federal  Information  Processing  Standard.  No 
agency  shall  take  any  action  to  deviate  from  this  standard  prior  to  the  receipt  of  a  waiver 
approval  from  the  Secretary  of  Commerce.  No  agency  shall  implement  or  procure  equipment 
using a DES mode of operation not conforming to this standard unless a waiver has been
approved.

14.  Where  to  Obtain  Copies.  Copies  of  this  publication  are  for  sale  by  the  National 
Technical  Information  Service,  U.S.  Department  of  Commerce,  Springfield,  VA  22161.  When 
ordering,  refer  to  Federal  Information  Processing  Standards  Publication  81  (FIPS  PUB  81), 
and  title.  When  microfiche  is  desired,  this  should  be  specified.  Payment  may  be  made  by 
check, money order, or deposit account.

1. Introduction. Binary data may be cryptographically protected (encrypted) using devices
implementing the algorithm specified in the Data Encryption Standard (DES) (FIPS PUB 46) in
conjunction with a cryptographic key. The cryptographic key controls the encryption process
and the identical key must also be used in the decryption process to obtain the
original data. Since the DES is publicly defined, cryptographic security depends on the
secrecy of the cryptographic key.

The  binary  format  of  a  cryptographic  key  is: 

(B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)

where {B1,B2,...,B56} are the independent bits of a DES key and {P1,P2,...,P8} are reserved
for  parity  bits  computed  on  the  preceding  seven  independent  bits  and  set  so  that  the  parity 
of  the  octet  is  odd,  i.e.,  there  is  an  odd  number  of  "1"  bits  in  the  octet. 

The  hexadecimal  format  of  a  cryptographic  key  is: 

(H1H2  H3H4  ...  H15H16) 

where {H1,H2,...,H16} are hexadecimal characters from the set {0,1,...,9,A,B,C,D,E,F}. The
embedded  blanks  in  the  format  are  optional  and  lower  case  letters  may  be  used  in  place  of 
the  upper  case  letters.  This  standard  assumes  that  a  cryptographic  key  has  been  entered 
into  a  DES  device  prior  to  encryption  or  decryption. 
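
An added example (not part of FIPS PUB 81): a Python check of the key format just described, which parses the hexadecimal form with optional blanks and verifies or recomputes the odd-parity bits P1 to P8. The function names are hypothetical; the sample key 0123456789abcdef is the one used in Table B1.

```python
import string


def parse_key(text: str) -> bytes:
    """Parse the hexadecimal key format (H1H2 H3H4 ... H15H16).

    Embedded blanks are optional and lower-case letters are accepted.
    """
    digits = text.replace(" ", "")
    if len(digits) != 16 or any(c not in string.hexdigits for c in digits):
        raise ValueError("a key is exactly 16 hexadecimal characters")
    return bytes.fromhex(digits)


def bad_parity_octets(key: bytes) -> list[int]:
    """Return the 1-based numbers of the octets whose parity is not odd."""
    return [n for n, octet in enumerate(key, start=1)
            if bin(octet).count("1") % 2 == 0]


def set_odd_parity(key: bytes) -> bytes:
    """Recompute P1..P8 (right-most bit of each octet) from the seven bits before it."""
    fixed = bytearray()
    for octet in key:
        seven = octet & 0xFE                       # B bits, parity position cleared
        parity = 1 - bin(seven).count("1") % 2     # 1 when the seven bits hold an even number of ones
        fixed.append(seven | parity)
    return bytes(fixed)


def independent_bits(key: bytes) -> int:
    """Concatenate B1..B56 as one integer, dropping the eight parity bits."""
    value = 0
    for octet in key:
        value = (value << 7) | (octet >> 1)
    return value


if __name__ == "__main__":
    good = parse_key("0123 4567 89ab cdef")            # key from Table B1
    damaged = bytes.fromhex("0023456789abcdee")         # constructed: parity wrong in octets 1 and 8
    print(bad_parity_octets(good), bad_parity_octets(damaged))
    print(set_odd_parity(damaged).hex())
    # Keys that differ only in parity bits carry the same 56 independent bits.
    print(independent_bits(good) == independent_bits(damaged))
```

Because the parity bits carry no key material, a key that fails this check may indicate a transcription or transmission error rather than a different key.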

1.1  Definitions,  Abbreviations,  and  Conventions.  The  following  definitions,  abbreviations 
and  conventions  shall  be  used  throughout  this  standard: 

BIT:  A  binary  digit  denoted  as  a  "0"  or  a  "1." 

BINARY  VECTOR:  A  sequence  of  bits. 

BLOCK: A binary vector consisting of sixty-four bits numbered from the left as 1, 2, ...,
64 and denoted as (B1,B2,...,B64).

CBC:  Cipher  Block  Chaining. 

CFB:  Cipher  Feedback. 

CIPHER  TEXT:  Encrypted  data. 

CRYPTOGRAPHIC KEY: A 64-bit parameter consisting of 56 independent bits and 8 parity bits
used in a DES device to control the encrypt and decrypt operations.

(Synonyms: KEY, KEY VARIABLE).

DATA UNIT: A binary vector of K bits that is encrypted as an entity and denoted as
(D1,D2,...,DK) where K = 1,2,...,64 and where D1,D2,...,DK represent bits.

DECRYPTION:  The  process  of  changing  cipher  text  into  plain  text. 

Verb:  DECRYPT. 

(Synonym:  DECIPHER). 

DECRYPT STATE: The state of a DES device executing the deciphering operation specified in
FIPS PUB 46.

DES:  Data  Encryption  Standard;  specified  in  FIPS  PUB  46. 

DES DEVICE: The electronic component used to implement the DES algorithm, typically an
integrated circuit chip or a micro-computer with the DES algorithm specified in a read-only
memory program.

DES INPUT BLOCK: A block that is entered into the DES device for either encryption or
decryption. The input block shall be designated (I1,I2,...,I64) where I1,I2,...,I64 represent
bits.

DES OUTPUT BLOCK: A block that is the final result of an encryption or decryption operation
of a DES device. The output block shall be designated (O1,O2,...,O64) where
O1,O2,...,O64 represent bits.

ECB:  Electronic  Codebook. 

ENCRYPTION:  The  process  of  changing  plain  text  into  cipher  text. 

Verb:  ENCRYPT. 

(Synonym:  ENCIPHER). 

ENCRYPT STATE: The state of a DES device executing the enciphering operation specified in
FIPS PUB 46.

EXCLUSIVE-OR OPERATION: The bit-by-bit modulo-2 addition of two binary vectors of equal
length. This operation is represented by a ⊕ in this standard.

INITIALIZATION  VECTOR  (IV):  A  binary  vector  used  in  the  initial  input  block  in  the  CFB  and 
OFB modes and as the randomizing block that is exclusive-ORed with the first data block in
the  CBC  mode. 

LEAST  SIGNIFICANT  BIT(S):  The  right-most  bit(s)  of  a  binary  vector. 

(Synonym:  Low  order  bit(s)). 

MESSAGE (MSG): A logical data entity consisting of a sequence of data units (e.g., bits,
octets, characters, fixed length numbers) that is encrypted as an entity.

MOST  SIGNIFICANT  BIT(S):  The  left-most  bit(s)  of  a  binary  vector. 

(Synonym:  High  order  bit(s)). 

OCTET: A group of eight binary digits numbered from left to right: B1,B2,...,B8.

OFB: Output Feedback.

PLAIN  TEXT:  Unencrypted  data. 

2. Electronic Codebook (ECB) Mode. The Electronic Codebook (ECB) mode is defined as
follows (Figure 1). In ECB encryption, a plain text data block (D1,D2,...,D64) is used
directly as the DES input block (I1,I2,...,I64). The input block is processed through a
DES device in the encrypt state. The resultant output block (O1,O2,...,O64) is used
directly as cipher text (C1,C2,...,C64) or may be used in subsequent ADP applications.

In ECB decryption, a cipher text block (C1,C2,...,C64) is used directly as the DES input
block (I1,I2,...,I64). The input block is then processed through a DES device in the
decrypt state. The resultant output block (O1,O2,...,O64) is the plain text
(D1,D2,...,D64) or may be used in subsequent ADP applications. The ECB decryption process
is the same as the ECB encryption process except that the decrypt state of the DES device
is used rather than the encrypt state.


3. Cipher Block Chaining (CBC) Mode. The Cipher Block Chaining (CBC) mode is defined as
follows (Figure 2). A message to be encrypted is divided into blocks. In CBC encryption,
the first DES input block is formed by exclusive-ORing the first block of a message with a
64-bit initialization vector (IV), i.e., (I1,I2,...,I64) = (IV1⊕D1,IV2⊕D2,...,IV64⊕D64).
The input block is processed through a DES device in the encrypt state, and the resulting
output block is used as the cipher text, i.e., (C1,C2,...,C64) = (O1,O2,...,O64). This
first cipher text block is then exclusive-ORed with the second plain text data block to
produce the second DES input block, i.e., (I1,I2,...,I64) = (C1⊕D1,C2⊕D2,...,C64⊕D64).
Note that I and D now refer to the second block. The second input block is processed
through the DES device in the encrypt state to produce the second cipher text block. This
encryption process continues to "chain" successive cipher and plain text blocks together
until the last plain text block in the message is encrypted. If the message does not
consist of an integral number of data blocks, then the final partial data block should be
encrypted in a manner specified for the application. One such method is described in
Appendix C of this standard.

FIGURE 1: ELECTRONIC CODEBOOK (ECB) MODE

FIGURE 2: CIPHER BLOCK CHAINING (CBC) MODE

In CBC decryption, the first cipher text block of an encrypted message is used as the input
block and is processed through a DES device in the decrypt state, i.e., (I1,I2,...,I64) =
(C1,C2,...,C64). The resulting output block, which equals the original input block to the
DES during encryption, is exclusive-ORed with the IV (must be same as that used during
encryption) to produce the first plain text block, i.e., (D1,D2,...,D64) =
(O1⊕IV1,O2⊕IV2,...,O64⊕IV64). The second cipher text block is then used as the input block
and is processed through the DES in the decrypt state and the resulting output block is
exclusive-ORed with the first cipher text block to produce the second plain text data
block, i.e., (D1,D2,...,D64) = (O1⊕C1,O2⊕C2,...,O64⊕C64). Note that again the D and O
refer to the second block. The CBC decryption process continues in this manner until the
last complete cipher text block has been decrypted. Cipher text representing a partial
data block must be decrypted in a manner as specified for the application.
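
The block modes of Sections 2 and 3, as an added Python example that is not part of the standard. The `device` function is a stand-in 64-bit Feistel permutation built from SHA-256, not DES, so its outputs do not match the standard's tables; the Table B1 key value serves only as stand-in key material, and the IV and plain text are constructed. The last three results go beyond the text above by showing how a one-bit cipher text error propagates through CBC decryption.

```python
import hashlib

BLOCK = 8  # bytes in one 64-bit block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the stand-in cipher: 32 bits of SHA-256 output.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def device(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in for the DES device (NOT DES): a 4-round Feistel permutation
    of 64-bit blocks with an encrypt state and a decrypt state."""
    left, right = block[:4], block[4:]
    if not decrypt:
        for rnd in range(4):
            left, right = right, xor(left, _f(key, rnd, right))
    else:
        for rnd in reversed(range(4)):
            left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def split_blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("partial final block: handling is left to the application")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # Each data block is used directly as the device input block.
    return b"".join(device(key, b, decrypt) for b in split_blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, plain: bytes) -> bytes:
    prev, out = iv, []
    for d in split_blocks(plain):
        prev = device(key, xor(prev, d))        # I = (IV or previous C) xor D; C = O
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, cipher: bytes) -> bytes:
    prev, out = iv, []
    for c in split_blocks(cipher):
        out.append(xor(device(key, c, decrypt=True), prev))  # D = O xor (IV or previous C)
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Flip bit number `bit`, counting from 1 at the left as the standard does."""
    out = bytearray(data)
    out[(bit - 1) // 8] ^= 0x80 >> ((bit - 1) % 8)
    return bytes(out)


KEY = bytes.fromhex("0123456789abcdef")  # Table B1 key value, stand-in key material here
IV = bytes.fromhex("1234567890abcdef")   # constructed
PLAIN = b"PAY 100 PAY 100 PAY 999 "      # constructed: blocks 1 and 2 are identical


def demo() -> dict:
    p = split_blocks(PLAIN)
    e = split_blocks(ecb(KEY, PLAIN))
    c = cbc_encrypt(KEY, IV, PLAIN)
    cb = split_blocks(c)
    damaged = split_blocks(cbc_decrypt(KEY, IV, flip_bit(c, 1)))
    return {
        "ecb_roundtrip": ecb(KEY, ecb(KEY, PLAIN), decrypt=True) == PLAIN,
        "cbc_roundtrip": cbc_decrypt(KEY, IV, c) == PLAIN,
        "ecb_repeats": e[0] == e[1],           # equal plain blocks stay visible in ECB
        "cbc_repeats": cb[0] == cb[1],         # chaining hides them
        "block1_garbled": damaged[0] != p[0],  # block holding the flipped bit
        "block2_delta": xor(damaged[1], p[1]).hex(),  # same single bit, next block
        "block3_intact": damaged[2] == p[2],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```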


4. Cipher Feedback (CFB) Mode. The Cipher Feedback (CFB) mode is defined as follows
(Figure 3). A message to be encrypted is divided into data units each containing K bits (K
= 1,2,...,64). In both the CFB encrypt and decrypt operations, an initialization vector
(IV) of length L is used. The IV is placed in the least significant bits of the DES input
block with the unused bits set to "0's," i.e., (I1,I2,...,I64) =
(0,0,...,0,IV1,IV2,...,IVL). This input block is processed through the DES device in the
encrypt state to produce an output block. During encryption, cipher text is produced by
exclusive-ORing a K-bit plain text data unit with the most significant K bits of the output
block, i.e., (C1,C2,...,CK) = (D1⊕O1,D2⊕O2,...,DK⊕OK). Similarly, during decryption, plain
text is produced by exclusive-ORing a K-bit unit of cipher text with the most significant K
bits of the output block, i.e., (D1,D2,...,DK) = (C1⊕O1,C2⊕O2,...,CK⊕OK). In both cases
the unused bits of the DES output block are discarded. In both cases the next input block
is created by discarding the most significant K bits of the previous input block, shifting
the remaining bits K positions to the left and then inserting the K bits of cipher text just
produced in the encryption operation or just used in the decrypt operation into the least
significant bit positions, i.e., (I1,I2,...,I64) = (I[K+1],I[K+2],...,I64,C1,C2,...,CK).
This input block is then processed through the DES device in the encrypt state to produce
the next output block. This process continues until the entire plain text message has been
encrypted or until the entire cipher text message has been decrypted.

The  CFB  mode  may  operate  on  data  units  of  length  1  through  64  inclusive.  K-bit  CFB  is 
defined to be the CFB mode operating on data units of length K for K = 1,2,...,64. For
each  operation  of  the  DES  device  one  K-bit  unit  of  plain  text  produces  one  K-bit  unit  of 
cipher  text  or  one  K-bit  unit  of  cipher  text  produces  one  K-bit  unit  of  plain  text. 

An  acceptable  alternative  for  8-bit  CFB  when  enciphering  7-bit  entities  using  an  8-bit 
feedback path is to insert a "1" bit in bit position one of the 8-bit feedback path, i.e.,
("1",C1,C2,...,C7). This results in a "1" always being placed in bit location 57 of the
DES  input  block.  This  alternative  is  called  the  7-bit  CFB(a)  mode  of  operation. 

5. Output Feedback (OFB) Mode. The Output Feedback (OFB) mode is defined as follows
(Figure 4). A message to be encrypted is divided into data units each containing K bits (K
= 1,2,...,64). In both the OFB encrypt and decrypt operations, an initialization vector
(IV) of length L is used. The IV is placed in the least significant bits of the DES input
block with the unused bits set to "0's," i.e., (I1,I2,...,I64) =
(0,0,...,0,IV1,IV2,...,IVL). This input block is processed through the DES device in the
encrypt state to produce an output block. During encryption, cipher text is produced by
exclusive-ORing a K-bit plain text data unit with the most significant K bits of the output
block, i.e., (C1,C2,...,CK) = (D1⊕O1,D2⊕O2,...,DK⊕OK). Similarly, during decryption, plain
text is produced by exclusive-ORing a K-bit unit of cipher text with the most significant K
bits of the output block, i.e., (D1,D2,...,DK) = (C1⊕O1,C2⊕O2,...,CK⊕OK). In both cases
the unused bits of the DES output block are discarded. In both cases the next input block
is created by discarding the most significant K bits of the previous input block, shifting
the remaining bits K positions to the left and then inserting the K bits of output just
used into the least significant bit positions, i.e., (I1,I2,...,I64) =
(I[K+1],I[K+2],...,I64,O1,O2,...,OK). This input block is then processed through the DES
device in the encrypt state to produce the next output block. This process continues until
the entire plain text message has been encrypted or until the entire cipher text message
has been decrypted.

FIGURE 3: K BIT CIPHER FEEDBACK (CFB) MODE (ENCRYPTION, DECRYPTION)

FIGURE 4: K BIT OUTPUT FEEDBACK (OFB) MODE (ENCRYPTION, DECRYPTION)

INPUT BLOCK INITIALLY CONTAINS AN INITIALIZATION VECTOR (IV) RIGHT JUSTIFIED.

The  OFB  mode  may  operate  on  data  units  of  length  1  through  64  inclusive.  K-bit  OFB  is 
defined to be the OFB mode operating on data units of length K for K = 1,2,...,64. For
each  operation  of  the  DES  device  one  K-bit  unit  of  plain  text  produces  one  K-bit  unit  of 
cipher  text  or  one  K-bit  unit  of  cipher  text  produces  one  K-bit  unit  of  plain  text. 
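
The K-bit shift-register rule of Sections 4 and 5, as an added Python example that is not part of the standard. `device_encrypt` is a stand-in keyed 64-bit function built from SHA-256, not DES (both modes use the device only in the encrypt state, so it need not be invertible); the 48-bit IV is constructed and the plain text is the Table B1 phrase. The error-recovery results go beyond the text above: they follow from the CFB rule that cipher text is shifted through the 64-bit input block.

```python
import hashlib

MASK64 = (1 << 64) - 1


def device_encrypt(key: bytes, block: int) -> int:
    """Stand-in for the DES device in the encrypt state (NOT DES)."""
    digest = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def _run(key, iv, iv_bits, units, k, feedback):
    if not 1 <= k <= 64:
        raise ValueError("K must be 1..64")
    if not 1 <= iv_bits <= 64 or iv >> iv_bits:
        raise ValueError("IV does not fit in L bits")
    reg = iv  # IV right-justified in the input block, unused high bits are 0
    out = []
    for unit in units:
        if unit >> k:
            raise ValueError("data unit wider than K bits")
        o = device_encrypt(key, reg) >> (64 - k)  # most significant K output bits
        result = unit ^ o
        # Drop the top K bits, shift left K places, insert K feedback bits at the right.
        reg = ((reg << k) & MASK64) | feedback(unit, result, o)
        out.append(result)
    return out


def cfb_encrypt(key, iv, iv_bits, plain, k):
    return _run(key, iv, iv_bits, plain, k, lambda unit, result, o: result)  # C just produced


def cfb_decrypt(key, iv, iv_bits, cipher, k):
    return _run(key, iv, iv_bits, cipher, k, lambda unit, result, o: unit)   # C just used


def ofb(key, iv, iv_bits, units, k):
    # Same operation for encryption and decryption: feedback is the output just used.
    return _run(key, iv, iv_bits, units, k, lambda unit, result, o: o)


def to_bits(data: bytes) -> list[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


KEY = bytes.fromhex("0123456789abcdef")  # Table B1 key value, stand-in key material here
IV, IV_BITS = 0x1234567890AB, 48         # constructed IV with L = 48
PLAIN = b"Now is the time for all "      # plain text of Table B1


def demo() -> dict:
    plain = list(PLAIN)                   # 24 data units, K = 8
    c = cfb_encrypt(KEY, IV, IV_BITS, plain, 8)
    d = cfb_decrypt(KEY, IV, IV_BITS, [c[0] ^ 0x80] + c[1:], 8)  # one bit damaged in transit
    changed = plain[:3] + [plain[3] ^ 0x01] + plain[4:]
    o, o2 = ofb(KEY, IV, IV_BITS, plain, 8), ofb(KEY, IV, IV_BITS, changed, 8)
    bits = to_bits(PLAIN[:2])             # 16 data units, K = 1
    return {
        "cfb8_roundtrip": cfb_decrypt(KEY, IV, IV_BITS, c, 8) == plain,
        "cfb1_roundtrip": cfb_decrypt(KEY, IV, IV_BITS,
                                      cfb_encrypt(KEY, IV, IV_BITS, bits, 1), 1) == bits,
        "ofb_roundtrip": ofb(KEY, IV, IV_BITS, o, 8) == plain,
        # CFB chains: changing plain unit 3 changes the cipher text after it.
        "cfb_chains": cfb_encrypt(KEY, IV, IV_BITS, changed, 8)[4:] != c[4:],
        # OFB does not chain: only the changed bit differs in the cipher text.
        "ofb_diff": [(i, a ^ b) for i, (a, b) in enumerate(zip(o, o2)) if a != b],
        # CFB decryption of damaged cipher text: same bit flipped in unit 0,
        # the next 64/K = 8 units garbled, later units correct again.
        "cfb_unit0_delta": d[0] ^ plain[0],
        "cfb_next8_garbled": d[1:9] != plain[1:9],
        "cfb_recovers": d[9:] == plain[9:],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```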

APPENDIX A

GENERAL  INFORMATION 

The National Bureau of Standards issued Federal Information Processing Standards Publication
46 (FIPS PUB 46) in 1977. That standard specifies a cryptographic algorithm, commonly
called the Data Encryption Standard (DES) algorithm, to be used within the Federal Government
for the cryptographic protection of sensitive, but unclassified, computer data. The
DES algorithm was developed by the International Business Machines Corporation (IBM) and
submitted to the National Bureau of Standards during an NBS public solicitation for cryptographic
algorithms to be used in a Federal Information Processing Standard. Several methods
for incorporating this algorithm into a cryptographic system are possible. These
methods, external to the DES algorithm, have come to be called the "modes of operation."
Four  modes,  called  the  Electronic  Codebook  (ECB)  mode,  the  Cipher  Block  Chaining  (CBC) 
mode,  the  Cipher  Feedback  (CFB)  mode,  and  the  Output  Feedback  (OFB)  mode,  are  specified  in 
this  standard.  ECB  is  a  direct  application  of  the  DES  algorithm  to  encrypt  and  decrypt 
data;  CBC  is  an  enhanced  mode  of  ECB  which  chains  together  blocks  of  cipher  text;  CFB  uses 
previously  generated  cipher  text  as  input  to  the  DES  to  generate  pseudo-random  outputs 
which  are  combined  with  the  plain  text  to  produce  cipher  text,  thereby  chaining  together 
the  resulting  cipher  text;  OFB  is  identical  to  CFB  except  that  the  previous  output  of  the 
DES  is  used  as  input  in  OFB  while  the  previous  cipher  text  is  used  as  input  in  CFB.  OFB 
does  not  chain  the  cipher  text.  The  proposed  FIPS  specifies  these  four  modes  because  they 
are  capable  of  providing  acceptable  levels  of  protection  for  all  anticipated  unclassified 
Federal  ADP  encryption  applications. 

Unencrypted  data  is  called  plain  text.  Encryption  (also  called  enciphering)  is  the  process 
of  transforming  plain  text  into  cipher  text.  Decryption  (also  called  deciphering)  is  the 
inverse  transformation.  The  encryption  and  decryption  processes  are  performed  according  to 
a  set  of  rules,  called  an  algorithm,  that  is  typically  based  on  a  parameter  called  a  key. 
The  key  is  usually  the  only  parameter  that  must  be  provided  to  or  by  the  users  of  a 
cryptographic  system  and  must  be  kept  secret.  The  period  of  time  over  which  a  particular 
key  is  used  to  encrypt  or  decrypt  data  is  called  its  cryptoperiod. 

Mathematically, the DES maps the set of all possible 64-bit vectors onto itself. See
Figure A1. There are 2^64 (2 raised to the 64th power) elements in this set, including all
binary numbers from 0 up to, but not including, 2^64. The DES cryptographic key allows a
user to select any one of 2^56 possible invertible mappings, i.e., transformations that are
one-to-one.  Selecting  a  key  selects  one  of  the  mappings.  When  using  the  DES  in  ECB  mode 
and  any  particular  key,  each  input  is  mapped  onto  a  unique  output  in  encryption  and  this 
output  is  mapped  back  onto  the  input  in  decryption.  The  DES  is  an  iterative,  block, 
product cipher system (i.e., encryption algorithm). A product cipher system mixes transposition
and substitution operations in an alternating manner. Because the DES algorithm
maps  a  64-bit  input  block  onto  a  64-bit  output  block  the  DES  is  called  a  block  cipher 
system.  Iterative  refers  to  the  use  of  the  output  of  an  operation  as  the  input  for  another 
iteration  of  the  same  procedure.  The  DES  internally  uses  sixteen  iterations  of  a  pair  of 
transposition  and  substitution  operations  to  encrypt  or  decrypt  an  input  block.  A  complete 
specification  of  the  DES  algorithm  is  found  in  FIPS  PUB  46. 

Two  categories  of  methods  for  incorporating  the  DES  in  a  cryptographic  system  are  block 
methods  and  stream  methods.  In  a  block  method,  the  DES  input  block  is  (or  is  a  simple 
function  of)  the  plain  text  to  be  encrypted  and  the  DES  output  block  is  the  cipher  text.  A 
stream  method  is  based  on  generating  a  pseudo-random  binary  stream  of  bits,  and  then  using 
the  exclusive-OR  binary  operation  to  combine  this  pseudo-random  sequence  with  the  plain 
text  to  produce  the  cipher  text.  Since  the  exclusive-OR  operator  is  its  own  binary 
inverse,  the  same  pseudo-random  binary  stream  is  used  for  both  the  encryption  of  plain 
text, P, and the decryption of cipher text, C. If O is the pseudo-random binary stream,
then C = P ⊕ O and inversely, P = C ⊕ O.

FIGURE A1: DES MAPPINGS

APPENDIX B


ELECTRONIC  CODEBOOK  (ECB)  MODE 

The  Electronic  Codebook  (ECB)  mode  is  a  basic,  block,  cryptographic  method  which  transforms 
64  bits  of  input  to  64  bits  of  output  as  specified  in  FIPS  PUB  46.  The  analogy  to  a 
codebook  arises  because  the  same  plain  text  block  always  produces  the  same  cipher  text 
block  for  a  given  cryptographic  key.  Thus  a  list  (or  codebook)  of  plain  text  blocks  and 
corresponding  cipher  text  blocks  theoretically  could  be  constructed  for  any  given  key.  In 
electronic  implementation  the  codebook  entries  are  calculated  each  time  for  the  plain  text 
to  be  encrypted  and,  inversely,  for  the  cipher  text  to  be  decrypted. 

Since  each  bit  of  an  ECB  output  block  is  a  complex  function  of  all  64  bits  of  the  input 
block  and  all  56  independent  (non-parity)  bits  of  the  cryptographic  key,  a  single  bit  error 
in  either  a  cipher  text  block  or  the  non-parity  key  bits  used  for  decryption  will  cause  the 
decrypted  plain  text  block  to  have  an  average  error  rate  of  fifty  percent.  However,  an 
error  in  one  ECB  cipher  text  block  will  not  affect  the  decryption  of  other  blocks,  i.e., 
there  is  no  error  extension  between  ECB  blocks. 

If  block  boundaries  are  lost  between  encryption  and  decryption  (e.g.,  a  bit  slip),  then 
synchronization  between  the  encryption  and  decryption  operations  will  be  lost  until  correct 
block  boundaries  are  reestablished.  The  results  of  all  decryption  operations  will  be 
incorrect  until  this  occurs. 

Since  the  ECB  mode  is  a  64-bit  block  cipher,  an  ECB  device  must  encrypt  data  in  integral 
multiples  of  sixty-four  bits.  If  a  user  has  less  than  sixty-four  bits  to  encrypt,  then  the 
least  significant  bits  of  the  unused  portion  of  the  input  data  block  must  be  padded,  e.g., 
filled  with  random  or  pseudo-random  bits,  prior  to  ECB  encryption.  The  corresponding 
decrypting  device  must  then  discard  these  padding  bits  after  decryption  of  the  cipher  text 
block. 

The  same  input  block  always  produces  the  same  output  block  under  a  fixed  key  in  ECB  mode. 
If  this  is  undesirable  in  a  particular  application,  the  CBC,  CFB  or  OFB  modes  should  be 
used.  An  example  of  the  ECB  mode  is  given  in  Table  Bl. 

TABLE B1

AN EXAMPLE OF THE ELECTRONIC CODEBOOK (ECB) MODE

The ECB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef

The plain text is the ASCII code for "Now is the time for all ". These seven-bit characters
are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK  CIPHER TEXT
1     4e6f772069732074  4e6f772069732074  3fa40e8a984d4815  3fa40e8a984d4815
2     68652074696d6520  68652074696d6520  6a271787ab8883f9  6a271787ab8883f9
3     666f7220616c6c20  666f7220616c6c20  893d51ec4b563b53  893d51ec4b563b53

The ECB mode in the decrypt state has been selected.

TIME  CIPHER TEXT       DES INPUT BLOCK   DES OUTPUT BLOCK  PLAIN TEXT
1     3fa40e8a984d4815  3fa40e8a984d4815  4e6f772069732074  4e6f772069732074
2     6a271787ab8883f9  6a271787ab8883f9  68652074696d6520  68652074696d6520
3     893d51ec4b563b53  893d51ec4b563b53  666f7220616c6c20  666f7220616c6c20




APPENDIX  C 


CIPHER  BLOCK  CHAINING  (CBC)  MODE 

CBC is a block cipher system in which the first plain text data block is exclusive-ORed
with a block of pseudo-random data prior to being processed through the DES. The resulting
cipher text block is then exclusive-ORed with the next plain text data block to form the
next input block to the DES, thus chaining together blocks of cipher text. The chaining of
cipher text blocks provides an error extension characteristic which is valuable in
protecting against fraudulent data alteration. A CBC authentication technique is described
in Appendix F.

The  CBC  mode  produces  the  same  cipher  text  whenever  the  same  plain  text  is  encrypted  using 
the  same  key  and  IV.  Users  who  are  concerned  about  this  characteristic  should  incorporate 
a  unique  identifier  (e.g.,  a  one-up  counter)  at  the  beginning  of  each  CBC  message  within  a 
cryptographic  period  in  order  to  insure  unique  cipher  text.  If  the  key  and  the  IV  are  the 
same  and  no  identifier  precedes  each  message,  messages  that  have  the  same  beginning  will 
have  the  same  cipher  text  when  encrypted  in  the  CBC  mode  until  the  blocks  that  differ  in 
the  two  messages  are  encrypted. 

Since  the  CBC  mode  is  a  block  method  of  encryption,  it  must  operate  on  64-bit  data  blocks. 
Partial  data  blocks  (blocks  of  less  than  64  bits)  require  special  handling.  One  method  of 
encrypting  a  final  partial  data  block  of  a  message  is  described  below.  Others  may  be 
defined  for  special  applications. 

The following method may be used for applications where the length of the cipher text can
be greater than the length of the plain text. In this case the final partial data block of
a message is padded in the least significant bit positions with "0"s, "1"s or
pseudo-random bits. The decryptor will have to know when and to what extent padding has
occurred. This can be accomplished explicitly, e.g., using a padding indicator, or
implicitly, e.g., using constant length transactions. The padding indicator will depend on
the data being encrypted. If the data is pure binary, then the partial data block should be
left justified in the input block and the unused bits of the block set to the complement of
the last data bit, i.e., if the last data bit of the message is "0" then "1"s are used as
padding bits and if the last data bit is "1" then "0"s are used. The input block is then
encrypted. The resulting output block is the cipher text. The cipher text message must be
marked as being padded so that the decryptor can reverse the padding process, remove the
padding bits and produce the original plain text. The decryptor scans the decrypted padded
block and discards the least significant bits that are all identical. If the data consists
of bytes (e.g., 8-bit ASCII characters) then the padding indicator should be a character
denoting the number of padding bytes, including itself, and should be placed in the least
significant byte of the input block before encrypting. For example if there are five ASCII
data characters in the final partial block of a message to be encrypted, then an ASCII "3"
is put in the least significant byte of the input block (any pad characters may be used in
the other two pad positions) before encryption. Again the cipher text message must be
marked as being padded.
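
The two padding rules just described, written out as an added Python example that is not part of the standard's text. The function names, the '0'/'1' string form used for bit data and the separately carried `was_padded` marker are assumptions of this example.

```python
BLOCK_BYTES = 8    # one DES block is 64 bits
BLOCK_BITS = 64

def pad_bits(bits):
    """Binary data: left-justify, fill with the complement of the last data bit."""
    if not 0 < len(bits) < BLOCK_BITS or set(bits) - {"0", "1"}:
        raise ValueError("expected 1..63 characters of '0'/'1'")
    fill = "1" if bits[-1] == "0" else "0"
    return bits + fill * (BLOCK_BITS - len(bits))

def unpad_bits(block):
    """Discard the trailing run of identical bits from a block marked as padded."""
    if len(block) != BLOCK_BITS or set(block) - {"0", "1"}:
        raise ValueError("expected a 64-bit block of '0'/'1'")
    data = block.rstrip(block[-1])
    if not data:
        raise ValueError("no data bits left: block was not padded by this rule")
    return data

def pad_bytes(partial, filler=b"\x00"):
    """Byte data: the last byte is an ASCII digit counting pad bytes, itself included."""
    if not 0 < len(partial) < BLOCK_BYTES:
        raise ValueError("only a final partial block of 1..7 bytes is padded")
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    n_pad = BLOCK_BYTES - len(partial)
    return partial + filler * (n_pad - 1) + str(n_pad).encode("ascii")

def unpad_bytes(block):
    """Read the ASCII count in the least significant byte and drop that many bytes."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("expected one 8-byte block")
    indicator = block[-1:]
    if not b"1" <= indicator <= b"7":
        raise ValueError("padding indicator is not an ASCII digit 1..7")
    return block[:-int(indicator)]

def pad_message(msg):
    """Pad only a final partial block; return (data, was_padded marker)."""
    rem = len(msg) % BLOCK_BYTES
    if rem == 0:
        return msg, False
    return msg[:-rem] + pad_bytes(msg[-rem:]), True

def unpad_message(data, was_padded):
    """Reverse pad_message; the marker decides whether the last block is touched."""
    if not data or len(data) % BLOCK_BYTES:
        raise ValueError("expected a whole number of 8-byte blocks")
    if not was_padded:
        return data
    return data[:-BLOCK_BYTES] + unpad_bytes(data[-BLOCK_BYTES:])

if __name__ == "__main__":
    # Five data characters -> ASCII "3" in the last byte, as in the text above.
    print(pad_bytes(b"hello"))
    print(pad_bits("1010")[:8], "...")
    # Constructed sample: a full final block that happens to end in a digit.
    print(unpad_message(*pad_message(b"room 101, bay 27")))
```

The last call shows why the message must be marked: an unpadded block ending in "7" is indistinguishable from a padded one unless the marker says so.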

In the CBC mode, one or more bit errors within a single cipher text block will affect the
decryption of two blocks (the block in which the error occurs and the succeeding block).
If the errors occur in the n-th cipher text block, then each bit of the n-th plain text
block will have an average error rate of fifty percent. The (n+1)st plain text block will
have only those bits in error which correspond directly to the cipher text bits in error.

Block  synchronization  between  encrypt  and  decrypt  operations  is  required  for  the  CBC  mode. 
If  bits  are  added  or  are  lost  in  a  cipher  text  block  so  that  block  boundaries  are  lost 
between  the  encryption  and  decryption  operations,  then  synchronization  is  lost.  However, 
cryptographic  synchronization  will  automatically  be  reestablished  64  bits  after  block 
boundaries  have  been  established.  This  property  is  known  as  self-synchronization. 

An example of the CBC mode is given in Table C1.

TABLE C1

AN EXAMPLE OF THE CIPHER BLOCK CHAINING (CBC) MODE

The CBC mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the time for all ". These seven-bit characters
are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK  CIPHER TEXT
1     4e6f772069732074  5c5b2158f9d8ed9b  e5c7cdde872bf27c  e5c7cdde872bf27c
2     68652074696d6520  8da2edaaee46975c  43e934008c389c0f  43e934008c389c0f
3     666f7220616c6c20  25864620ed54f02f  683788499a7c05f6  683788499a7c05f6

The CBC mode in the decrypt state has been selected.

TIME  CIPHER TEXT       DES INPUT BLOCK   DES OUTPUT BLOCK  PLAIN TEXT
1     e5c7cdde872bf27c  e5c7cdde872bf27c  5c5b2158f9d8ed9b  4e6f772069732074
2     43e934008c389c0f  43e934008c389c0f  8da2edaaee46975c  68652074696d6520
3     683788499a7c05f6  683788499a7c05f6  25864620ed54f02f  666f7220616c6c20

APPENDIX D


CIPHER FEEDBACK (CFB) MODE

The  CFB  mode  is  a  stream  method  of  encryption  in  which  the  DES  is  used  to  generate 
pseudorandom  bits  which  are  exclusive-ORed  with  binary  plain  text  to  form  cipher  text. 

The  cipher  text  is  fed  back  to  form  the  next  DES  input  block.  Identical  messages  that 
are  encrypted  using  the  CFB  mode  and  different  IVs  will  have  different  cipher  texts. 

IVs  that  are  shorter  than  64  bits  should  be  put  in  the  least  significant  bits  of  the 
first  DES  input  block  and  the  unused,  most  significant,  bits  initialized  to  "0's." 

In  the  CFB  mode,  errors  in  any  K-bit  unit  of  cipher  text  will  affect  the  decryption  of 
the  garbled  cipher  text  and  also  the  decryption  of  succeeding  cipher  text  until  the  bits 
in  error  have  been  shifted  out  of  the  CFB  input  block.  The  first  affected  K-bit  unit  of 
plain  text  will  be  garbled  in  exactly  those  places  where  the  cipher  text  is  in  error. 
Succeeding  decrypted  plain  text  will  have  an  average  error  rate  of  fifty  percent  until 
all  errors  have  been  shifted  out  of  the  DES  input  block.  Assuming  no  additional  errors 
are  encountered  during  this  time,  the  correct  plain  text  will  then  be  obtained. 

If  K-bit  boundaries  are  lost  during  decryption,  then  cryptographic  synchronization  will 
be  lost  until  cryptographic  initialization  is  performed  or  until  64  bits  after  the  K-bit 
boundaries  have  been  reestablished. 

The encryption and decryption processes in the CFB mode both use the encrypt state of the
DES. Examples of 1, 8, and 64-bit CFB mode are given in Tables D1, D2, and D3,
respectively.

The 7-bit CFB alternative mode is defined in the standard in order to encipher and
decipher 7-bit codes and still use an 8-bit feedback path. Most commercial implementations
of the DES are designed to efficiently handle 8-bit bytes of data and key. Most computer
and communication systems of recent architecture are also designed to efficiently handle
full 8-bit bytes. However, some systems use the most significant bit as a parity bit.
These systems often generate the parity bit during transmission and check its validity
during reception. In such systems the parity bit on cipher text would be automatically
modified during transmission. In this case, the encryption and decryption processes must
operate independently of the parity bits and the 7-bit CFB(a) mode should be used. If
the encryptor and the decryptor both set the most significant bit of the 8-bit cipher byte
to be a "1" bit in the feedback, the systems are compatible. Holding no more than eight
bits of the DES input constant provides an acceptable level of security for government
applications.

An extension of this technique is useful in applications requiring very efficient use of
the DES device. If several 7-bit data units are to be enciphered simultaneously, then a
"1" bit may be put in the most significant bit position of each 8-bit byte of the feedback
path. This extension of the 7-bit CFB alternative mode should be called the K-bit CFB(a)
for K = 14, 21, 28, 35, 42, 49, and 56 for implementations which encipher, respectively,
2, 3, 4, 5, 6, 7, and 8 7-bit data units simultaneously. These alternatives provide an
acceptable level of security for government applications.

Examples  of  7  and  56-bit  CFB  (a)  mode  are  given  in  tables  D4  and  D5,  respectively. 

TABLE D1

AN EXAMPLE OF THE 1-BIT CIPHER FEEDBACK (CFB) MODE

The 1-bit CFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the binary vector (010011100110111101110111). The DES input and output
blocks are written in hexadecimal notation. The ⊕ represents bit-by-bit, modulo 2
addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P ⊕ O = C
1     1234567890abcdef  bd661569ae874e25  0 ⊕ 1 = 1
2     2468acf121579bdf  48b3169c1fac7a10  1 ⊕ 0 = 1
3     48d159e242af37bf  0a0143394c9959fe  0 ⊕ 0 = 0
4     91a2b3c4855e6f7e  6d52f55fd8b02711  0 ⊕ 0 = 0
5     234567890abcdefc  3a38debb3a2fa892  1 ⊕ 0 = 1
6     468acf121579bdf9  719b70bd3dce7acc  1 ⊕ 0 = 1
7     8d159e242af37bf3  81809c230adc0d23  1 ⊕ 1 = 0
8     1a2b3c4855e6f7e6  83d14a6da6926604  0 ⊕ 1 = 1
9     34567890abcdefcd  311e9dc8d6d52d8a  0 ⊕ 0 = 0
10    68acf121579bdf9a  db47c7feb6fc4272  1 ⊕ 1 = 0
11    d159e242af37bf34  b73850afa3b8ed89  1 ⊕ 1 = 0
12    a2b3c4855e6f7e68  f5fb19dd00590800  0 ⊕ 1 = 1
13    4567890abcdefcd1  0f4351a9bbffe5a5  1 ⊕ 0 = 1
14    8acf121579bdf9a3  769593c58e20d41b  1 ⊕ 0 = 1
15    159e242af37bf347  0e949d3f3a293d64  1 ⊕ 0 = 1
16    2b3c4855e6f7e68f  921eb7ffeacd0db9  1 ⊕ 1 = 0
17    567890abcdefcd1e  d2ad109c8895fb95  0 ⊕ 1 = 1
18    acf121579bdf9a3d  3c36317828a9bd04  1 ⊕ 0 = 1
19    59e242af37bf347b  e7248586e7e4ecac  1 ⊕ 1 = 0
20    b3c4855e6f7e68f6  f9a58e16a7597c5e  1 ⊕ 1 = 0
21    67890abcdefcd1ec  e939fdf63d177946  0 ⊕ 1 = 1
22    cf121579bdf9a3d9  f325eac046bad58d  1 ⊕ 1 = 0
23    9e242af37bf347b2  8385a6d975ffdbba  1 ⊕ 1 = 0
24    3c4855e6f7e68f64  70a54baceae7ba6b  1 ⊕ 0 = 1

TABLE D2

AN EXAMPLE OF THE 8-BIT CIPHER FEEDBACK (CFB) MODE

The 8-bit CFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the." These seven-bit characters are written
in hexadecimal notation (0,b7,b6,...,b1). The ⊕ represents bit-by-bit, modulo 2 addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P  ⊕ O  = C
1     1234567890abcdef  bd661569ae874e25  4e ⊕ bd = f3
2     34567890abcdeff3  7039546f9a0f6330  6f ⊕ 70 = 1f
3     567890abcdeff31f  ad1b78b0bb371be7  77 ⊕ ad = da
4     7890abcdeff31fda  27350b01d5ca31f7  20 ⊕ 27 = 07
5     90abcdeff31fda07  68863426e397685d  69 ⊕ 68 = 01
6     abcdeff31fda0701  6798240e8c6b685f  73 ⊕ 67 = 14
7     cdeff31fda070114  421feefb3f8ca64f  20 ⊕ 42 = 62
8     eff31fda07011462  9a169a9b50666575  74 ⊕ 9a = ee
9     f31fda07011462ee  703b1799be9a5748  68 ⊕ 70 = 18
10    1fda07011462ee18  1a4aee195be70077  65 ⊕ 1a = 7f

The 8-bit CFB mode in the decrypt state has been selected.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  C  ⊕ O  = P
1     1234567890abcdef  bd661569ae874e25  f3 ⊕ bd = 4e
2     34567890abcdeff3  7039546f9a0f6330  1f ⊕ 70 = 6f
3     567890abcdeff31f  ad1b78b0bb371be7  da ⊕ ad = 77
4     7890abcdeff31fda  27350b01d5ca31f7  07 ⊕ 27 = 20
5     90abcdeff31fda07  68863426e397685d  01 ⊕ 68 = 69
6     abcdeff31fda0701  6798240e8c6b685f  14 ⊕ 67 = 73
7     cdeff31fda070114  421feefb3f8ca64f  62 ⊕ 42 = 20
8     eff31fda07011462  9a169a9b50666575  ee ⊕ 9a = 74
9     f31fda07011462ee  703b1799be9a5748  18 ⊕ 70 = 68
10    1fda07011462ee18  1a4aee195be70077  7f ⊕ 1a = 65

TABLE D3

AN EXAMPLE OF THE 64-BIT CIPHER FEEDBACK (CFB) MODE

The 64-bit CFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the time for all ". These seven-bit
characters are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK  CIPHER TEXT
1     4e6f772069732074  1234567890abcdef  bd661569ae874e25  f3096249c7f46e51
2     68652074696d6520  f3096249c7f46e51  cefba3ef73ff92a4  a69e839b1a92f784
3     666f7220616c6c20  a69e839b1a92f784  65290313e8e2ca02  03467133898ea622

The 64-bit CFB mode in the decrypt state has been selected.

TIME  CIPHER TEXT       DES INPUT BLOCK   DES OUTPUT BLOCK  PLAIN TEXT
1     f3096249c7f46e51  1234567890abcdef  bd661569ae874e25  4e6f772069732074
2     a69e839b1a92f784  f3096249c7f46e51  cefba3ef73ff92a4  68652074696d6520
3     03467133898ea622  a69e839b1a92f784  65290313e8e2ca02  666f7220616c6c20

TABLE D4

AN EXAMPLE OF THE 7-BIT CIPHER FEEDBACK ALTERNATIVE MODE

The 7-bit CFB(a) mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the." These seven-bit characters are written
in hexadecimal notation (0,b7,b6,...,b1). The ⊕ represents bit-by-bit, modulo 2 addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P  ⊕ O  = C
1     1234567890abcdef  bd661569ae874e25  4e ⊕ bd = 73
2     34567890abcdeff3  7039546f9a0f6330  6f ⊕ 70 = 1f
3     567890abcdeff39f  e86e0d3772221b21  77 ⊕ e8 = 1f
4     7890abcdeff39f9f  cbb91f82946f3a68  20 ⊕ cb = 6b
5     90abcdeff39f9feb  9faf68acc9d1c4f9  69 ⊕ 9f = 76
6     abcdeff39f9febf6  bf7e7edc468df70f  73 ⊕ bf = 4c
7     cdeff39f9febf6cc  6a555c03e8c20cea  20 ⊕ 6a = 4a
8     eff39f9febf6ccca  d8bb4117448b9e4a  74 ⊕ d8 = 2c
9     f39f9febf6cccaac  e656f81f3f1a8c28  68 ⊕ e6 = 0e
10    9f9febf6cccaac8e  cd1883fe15bf7c26  65 ⊕ cd = 28

The 7-bit CFB(a) mode in the decrypt state has been selected.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  C  ⊕ O  = P
1     1234567890abcdef  bd661569ae874e25  73 ⊕ bd = 4e
2     34567890abcdeff3  7039546f9a0f6330  1f ⊕ 70 = 6f
3     567890abcdeff39f  e86e0d3772221b21  1f ⊕ e8 = 77
4     7890abcdeff39f9f  cbb91f82946f3a68  6b ⊕ cb = 20
5     90abcdeff39f9feb  9faf68acc9d1c4f9  76 ⊕ 9f = 69
6     abcdeff39f9febf6  bf7e7edc468df70f  4c ⊕ bf = 73
7     cdeff39f9febf6cc  6a555c03e8c20cea  4a ⊕ 6a = 20
8     eff39f9febf6ccca  d8bb411744869e4a  2c ⊕ d8 = 74
9     f39f9febf6cccaac  e656f81f3f1a8c28  0e ⊕ e6 = 68
10    9f9febf6cccaac8e  cd1883fe15bf7c26  28 ⊕ cd = 65

TABLE D5

AN EXAMPLE OF THE 56-BIT CIPHER FEEDBACK ALTERNATIVE MODE

The 56-bit CFB(a) mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the time for all ". These seven-bit
characters are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK  CIPHER TEXT
1     4e6f772069732074  1234567890abcdef  bd661569ae874e25  7309624947746e51
2     68652074696d6520  f389e2c9c7f4eed1  8988dd3d6b71f76b  616d7d49021c124b
3     666f7220616c6c20  e1edfdc9829c92cb  314a61d117be7e4d  572513717652126d

The 56-bit CFB(a) mode in the decrypt state has been selected.

TIME  CIPHER TEXT       DES INPUT BLOCK   DES OUTPUT BLOCK  PLAIN TEXT
1     7309624947746e51  1234567890abcdef  bd661569ae874e25  4e6f772069732074
2     616d7d49021c124b  f389e2c9c7f4eed1  8988dd3d6b71f76b  68652074696d6520
3     572513717652126d  e1edfdc9829c92cb  314a61d117be7e4d  666f7220616c6c20

APPENDIX E


OUTPUT  FEEDBACK  (OFB)  MODE 

The  Output  Feedback  (OFB)  mode  is  an  additive  stream  cipher  in  which  errors  in  the  cipher 
text  are  not  extended  to  cause  additional  errors  in  the  decrypted  plain  text.  One  bit  in 
error  in  the  cipher  text  causes  only  one  bit  to  be  in  error  in  the  decrypted  plain  text. 
Therefore,  this  mode  cannot  be  used  for  data  authentication  but  is  useful  in  applications 
where  a  few  errors  in  the  decrypted  plain  text  are  acceptable. 

In the OFB mode, the same K bits of the DES output block that are used to encrypt a K-bit
unit of plain text are fed back for the next input block. This feedback is completely
independent of all plain text and all cipher text. As a result, there is no error
extension in OFB mode.

If  cryptographic  synchronization  is  lost  in  the  OFB  mode,  then  cryptographic  initialization 
must  be  performed.  The  OFB  mode  is  not  a  self-synchronizing  cryptographic  mode. 

Examples of 1-bit OFB and 8-bit OFB are given in Tables E1 and E2, respectively.


TABLE E1

AN EXAMPLE OF THE 1-BIT OUTPUT FEEDBACK (OFB) MODE

The 1-bit OFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the binary vector (010011100110111101110111). The ⊕ represents
bit-by-bit, modulo 2 addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P ⊕ O = C
1     1234567890abcdef  bd661569ae874e25  0 ⊕ 1 = 1
2     2468acf121579bdf  48b3169c1fac7a10  1 ⊕ 0 = 1
3     48d159e242af37be  8879ea93c63d77a5  0 ⊕ 1 = 1
4     91a2b3c4855e6f7d  0d36e16101e86d61  0 ⊕ 0 = 0
5     234567890abcdefa  e9eab8cfc00f4ac3  1 ⊕ 1 = 0
6     468acf121579bdf5  9d41640f97df7904  1 ⊕ 1 = 0
7     8d159e242af37beb  32f72fd1899eda45  1 ⊕ 0 = 1
8     1a2b3c4855e6f7d6  ca2a095d20f4e769  0 ⊕ 1 = 1
9     34567890abcdefad  de869588355e1041  0 ⊕ 1 = 1
10    68acf121579bdf5b  11245e6a8720ddce  1 ⊕ 0 = 1
11    d159e242af37beb6  836b0be324094a97  1 ⊕ 1 = 0
12    a2b3c4855e6f7d6d  c07714703b296a5a  0 ⊕ 1 = 1
13    4567890abcdefadb  bf6380ecc196d599  1 ⊕ 1 = 0
14    8acf121579bdf5b7  96ed6856969aef13  1 ⊕ 1 = 0
15    159e242af37beb6f  3823feaa3d170085  1 ⊕ 0 = 1
16    2b3c4855e6f7d6de  2d57dc0c899d6700  1 ⊕ 0 = 1
17    567890abcdefadbc  2fe1c261c0e1a302  0 ⊕ 0 = 0
18    acf121579bdf5b78  778ad641faa047d0  1 ⊕ 0 = 1
19    59e242af37beb6f0  f66ae4359eec3755  1 ⊕ 1 = 0
20    b3c4855e6f7d6de1  cd0bda27e32a13da  1 ⊕ 1 = 0
21    67890abcdefadbc3  9f71f74488551801  0 ⊕ 1 = 1
22    cf121579bdf5b787  a62e89aa6b85be74  1 ⊕ 1 = 0
23    9e242af37beb6f0f  7b0b2e1de987b804  1 ⊕ 0 = 1
24    3c4855e6f7d6de1e  7f41b5ef07c3ea29  1 ⊕ 0 = 1



TABLE E2

AN EXAMPLE OF THE 8-BIT OUTPUT FEEDBACK (OFB) MODE

The 8-bit OFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "Now is the." These seven-bit characters are written
in hexadecimal notation (0,b7,b6,...,b1). The ⊕ represents bit-by-bit, modulo 2 addition.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P  ⊕ O  = C
1     1234567890abcdef  bd661569ae874e25  4e ⊕ bd = f3
2     34567890abcdefbd  25e73b5d4cbd2359  6f ⊕ 25 = 4a
3     567890abcdefbd25  5f970070553623d0  77 ⊕ 5f = 28
4     7890abcdefbd255f  704ad48bf9eec8fa  20 ⊕ 70 = 50
5     90abcdefbd255f70  a0b1a091bb787553  69 ⊕ a0 = c9
6     abcdefbd255f70a0  b58127681139ee7f  73 ⊕ b5 = c6
7     cdefbd255f70a0b5  694d556ef5806a65  20 ⊕ 69 = 49
8     efbd255f70a0b569  f1885324299132a2  74 ⊕ f1 = 85
9     bd255f70a0b569f1  be639ff6d7b74b04  68 ⊕ be = d6
10    255f70a0b569f1be  e17b6ae22b4bad65  65 ⊕ e1 = 84

The 8-bit OFB mode in the decrypt state has been selected.

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  C  ⊕ O  = P
1     1234567890abcdef  bd661569ae874e25  f3 ⊕ bd = 4e
2     34567890abcdefbd  25e73b5d4cbd2359  4a ⊕ 25 = 6f
3     567890abcdefbd25  5f970070553623d0  28 ⊕ 5f = 77
4     7890abcdefbd255f  704ad48bf9eec8fa  50 ⊕ 70 = 20
5     90abcdefbd255f70  a0b1a091bb787553  c9 ⊕ a0 = 69
6     abcdefbd255f70a0  b58127681139ee7f  c6 ⊕ b5 = 73
7     cdefbd255f70a0b5  694d556ef5806a65  49 ⊕ 69 = 20
8     efbd255f70a0b569  f1885324299132a2  85 ⊕ f1 = 74
9     bd255f70a0b569f1  be639ff6d7b74b04  d6 ⊕ be = 68
10    255f70a0b569f1be  e17b6ae22b4bad65  84 ⊕ e1 = 65
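
The error-extension and synchronization statements in Appendices C, D and E can be checked mechanically. This added example (not part of the standard) runs CBC, 8-bit CFB and 8-bit OFB over a stand-in 64-bit Feistel cipher built from SHA-256, an assumption used in place of DES; the function names and the 32-byte sample text are constructed here.

```python
import hashlib

MASK64 = (1 << 64) - 1

def _f(key, rnd, half):
    """Round function of the stand-in cipher (NOT DES): 32 bits of SHA-256."""
    digest = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def block_encrypt(key, block):
    """64-bit Feistel permutation standing in for the DES encrypt state."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 32) | right

def block_decrypt(key, block):
    """Inverse of block_encrypt, standing in for the DES decrypt state."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(key, rnd, left), left
    return (left << 32) | right

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = block_encrypt(key, p ^ prev)   # chain on the previous cipher text
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(block_decrypt(key, c) ^ prev)
        prev = c
    return out

def cfb(key, iv, units, k, decrypt):
    """K-bit CFB: the cipher text unit is shifted into the next input block."""
    out, state = [], iv
    for u in units:
        o = block_encrypt(key, state) >> (64 - k)    # most significant K bits
        res = u ^ o
        state = ((state << k) | (u if decrypt else res)) & MASK64
        out.append(res)
    return out

def ofb(key, iv, units, k):
    """K-bit OFB as defined here: the K output bits used are fed back."""
    out, state = [], iv
    for u in units:
        o = block_encrypt(key, state) >> (64 - k)
        state = ((state << k) | o) & MASK64
        out.append(u ^ o)
    return out

KEY = bytes.fromhex("0123456789abcdef")            # key and IV values from the tables
IV = 0x1234567890ABCDEF
TEXT = list(b"Now is the time for all good men")   # constructed 32-byte sample
BLOCKS = [int.from_bytes(bytes(TEXT[i:i + 8]), "big") for i in range(0, 32, 8)]

def flip_diffs(mode, index, bit):
    """Per-unit XOR of recovered and original plain text after one flipped bit."""
    if mode == "cbc":
        ct = cbc_encrypt(KEY, IV, BLOCKS)
        ct[index] ^= bit
        return [a ^ b for a, b in zip(cbc_decrypt(KEY, IV, ct), BLOCKS)]
    ct = cfb(KEY, IV, TEXT, 8, False) if mode == "cfb8" else ofb(KEY, IV, TEXT, 8)
    ct[index] ^= bit
    pt = cfb(KEY, IV, ct, 8, True) if mode == "cfb8" else ofb(KEY, IV, ct, 8)
    return [a ^ b for a, b in zip(pt, TEXT)]

def drop_unit(mode, index):
    """Recovered plain text after one 8-bit cipher text unit is lost in transit."""
    ct = cfb(KEY, IV, TEXT, 8, False) if mode == "cfb8" else ofb(KEY, IV, TEXT, 8)
    del ct[index]
    return cfb(KEY, IV, ct, 8, True) if mode == "cfb8" else ofb(KEY, IV, ct, 8)

if __name__ == "__main__":
    for mode, idx, bit in (("cbc", 1, 1 << 5), ("cfb8", 4, 0x10), ("ofb8", 4, 0x10)):
        print(mode, [format(d, "x") for d in flip_diffs(mode, idx, bit)])
    for mode in ("cfb8", "ofb8"):
        print(mode, "after loss:", bytes(drop_unit(mode, 4)))
```

In the printed difference lists a zero means the unit decrypted correctly: CBC damages two blocks, 8-bit CFB damages the hit byte plus the next eight, OFB damages one bit only. After a lost byte, CFB output realigns with the original text eight units later while OFB never does.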

APPENDIX F

DES  AUTHENTICATION  TECHNIQUE 

The DES can be used for message (data) authentication. A Message Authentication Code (MAC)
is generated (computed) as a cryptographic function of the message (data). The MAC is then
stored or transmitted with the data. Only those knowing the secret key can recompute the
MAC for the received message and verify that the message has not been modified by comparing
the computed MAC with the stored or transmitted MAC. An unauthorized recipient of the data
who does not possess the key cannot modify the data and generate a new MAC to correspond
with the modified data. This technique is useful in applications which require maintaining
data integrity but which do not require protecting the data from disclosure. For example,
computer programs may be stored in plain text form with a computed MAC appended to the
program file. The program may be read and executed without decryption. However, when the
integrity of the program is questioned, a MAC can be computed on the program file and
compared with the one stored in the file. If the two MAC's are identical and the
cryptographic key used to generate the MAC has been protected, then the program file has
not been modified.

A  MAC  may  be  generated  using  either  the  CBC  or  the  CFB  mode.  In  CBC  authentication,  a 
message  is  encrypted  in  the  normal  CBC  manner  but  the  cipher  text  is  discarded.  Messages 
which  terminate  in  partial  data  blocks  must  be  padded  on  the  right  (LSB)  with  zeros.  In 
CBC  authentication,  the  most  significant  M  bits  of  the  final  output  block  are  used  as  the 
MAC,  where  M  is  the  number  of  bits  in  the  MAC. 

In  CFB  authentication,  a  message  is  encrypted  in  the  normal  CFB  manner  except  that  the 
cipher  text  is  discarded.  After  encrypting  the  final  K  bits  of  data  and  feeding  the 
resulting  cipher  text  back  into  the  DES  input  block,  the  DES  device  is  operated  one  more 
time  and  the  most  significant  M  bits  of  the  resulting  DES  output  block  are  used  as  the  MAC. 


In both CBC and CFB authentication, a MAC should be used that is as long as practical.
Since a MAC is an error detection code (which is computed using cryptographic techniques),
a long MAC is desirable. Bit manipulation within a message using a MAC of length M will be
detectable with a probability of 1-(1/2^M). Concluding that a message has not been
modified is based upon this probability. The proposed Federal Standard 1026 requires M to
be at least 24 for Federal telecommunication applications. Financial transaction
application standards are recommending M to be 32. Application designers should select M to
optimize security and efficiency requirements.

In  ADP  communications  security  applications  a  message  numbering  and  verifying  system  should 
be  used  to  protect  against  insertion  of  false  messages,  deletion  of  valid  messages,  and 
replay  of  a  previously  valid  message.  The  combined  use  of  a  unique  Message  Identifier 
(MID)  and  a  MAC  achieves  these  security  objectives  in  addition  to  protecting  the  message 
against  message  modification.  If  the  data  source  MAC  and  the  data  destination  MAC  are  in 
agreement  and  if  the  MID  agrees  with  the  value  expected  by  the  receiver,  then  these  four 
security  objectives  have  been  accomplished.  The  MID  should  be  unique  and  deterministic  for 
each  message  transmitted  between  a  sender  and  receiver.  The  uniqueness  may  be  achieved 
through  the  use  of  a  simple  binary  counter. 

Examples of the MAC calculation using CBC and 8-bit CFB are given in Tables F1 and F2,
respectively.

TABLE F1

AN EXAMPLE OF THE CIPHER BLOCK CHAINING (CBC) MODE
FOR AUTHENTICATION

The CBC mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

The plain text is the ASCII code for "7654321 Now is the time for ". These seven-bit
characters are written in hexadecimal notation (0,b7,b6,...,b1).

TIME  PLAIN TEXT        DES INPUT BLOCK   DES OUTPUT BLOCK
1     3736353433323120  2502634ca399fccf  b9916b8ee4c3da64
2     4e6f772069732074  f7fe1cae8db0fa10  b4f44e3cbefb9948
3     68652074696d6520  dc916e48d796fc68  4521388fa59ae67d
4     666f722000000000  234e4aafa59ae67d  58d2e77e86062733

32-bit MAC is selected

TEXT                                                      MAC
37363534333231204e6f77206873207468652074696d6520666f7220  58d2e77e



TABLE F2

AN EXAMPLE OF THE CIPHER FEEDBACK (CFB) MODE
FOR AUTHENTICATION

The 8-bit CFB mode in the encrypt state has been selected.

Cryptographic Key = 0123456789abcdef
Initialization Vector = 1234567890abcdef

TIME  DES INPUT BLOCK   DES OUTPUT BLOCK  P  ⊕ O  = C
1     1234567890abcdef  bd661569ae874e25  37 ⊕ bd = 8a
2     34567890abcdef8a  b156f27e4084b3e1  36 ⊕ b1 = 87
3     567890abcdef8a87  346594a9f532e7ef  35 ⊕ 34 = 01
4     7890abcdef8a8701  ed228c3d0b087e56  34 ⊕ ed = d9
5     90abcdef8a8701d9  12fffb7d10c59f6e  33 ⊕ 12 = 21
6     abcdef8a8701d921  02de319634551992  32 ⊕ 02 = 30
7     cdef8a8701d92130  be3ee94f5b0d9337  31 ⊕ be = 8f
8     ef8a8701d921308f  15a8855f3e9908b3  20 ⊕ 15 = 35
9     8a8701d921308f35  3af549c9c870562c  4e ⊕ 3a = 74
10    8701d921308f3574  d2b323ada61cde00  6f ⊕ d2 = bd
11    01d921308f3574bd  6977832969dbbeba  77 ⊕ 69 = 1e
12    d921308f3574bd1e  5473999aba6c9813  20 ⊕ 54 = 74
13    21308f3574bd1e74  9db2dcb11bcefd56  69 ⊕ 9d = f4
14    308f3574bd1e74f4  41dd4dfde3648513  73 ⊕ 41 = 32
15    8f3574bd1e74f432  349de10f1d656720  20 ⊕ 34 = 14
16    3574bd1e74f43214  0384e72851495e94  74 ⊕ 03 = 77
17    74bd1e74f4321477  64aeb25d7a54bb91  68 ⊕ 64 = 0c
18    bd1e74f43214770c  1f07839f59391e53  65 ⊕ 1f = 7a
19    1e74f43214770c7a  14d3c21640e42157  20 ⊕ 14 = 34
20    74f43214770c7a34  fb7a853aadb39183  74 ⊕ fb = 8f
21    f43214770c7a348f  edee83b0a07afcd4  69 ⊕ ed = 84
22    3214770c7a348f84  5065694b1a1b765c  6d ⊕ 50 = 3d
23    14770c7a348f843d  68ec7ad3602e91c2  65 ⊕ 68 = 0d
24    770c7a348f843d0d  28f5c32ae7b4495f  20 ⊕ 28 = 08
25    0c7a348f843d0d08  523d79cb8d3eb462  66 ⊕ 52 = 34
26    7a348f843d0d0834  dd5816fac4470533  6f ⊕ dd = b2
27    348f843d0d0834b2  b61ec60f26c3b29a  72 ⊕ b6 = c4
28    8f843d0d0834b2c4  daca268330988a7d  20 ⊕ da = fa
29    843d0d0834b2c4fa  cd647403bc90c4c4

32-bit MAC selected.

TEXT                                                      MAC
37363534333231204e6f77206873207468652074696d6520666f7220  cd647403
(a) An acceptable alternative for 7-bit CFB that uses an 8-bit feedback path while
enciphering 7-bit data units is the 7-bit CFB(a) mode of operation. This alternative
always inserts a "1" in bit position one of the 8-bit feedback path so that the feed-
back is of the form (1,C1,C2,C3,C4,C5,C6,C7). The cipher is represented as a 7-bit
entity of the form (C1,C2,C3,C4,C5,C6,C7).

An acceptable alternative for 8-bit CFB when enciphering 8-bit data units composed
of a non-information bit followed by a 7-bit code (e.g., P,b7,b6,b5,b4,b3,b2,b1) is
the 8-bit CFB(a) mode of operation. This alternative is similar to the 8-bit CFB
except that a "1" bit is always inserted in bit position one of the 8-bit feedback
path so that the feedback is of the form (1,C2,C3,C4,C5,C6,C7,C8). The cipher
is represented as an 8-bit entity of the form (C1,C2,C3,C4,C5,C6,C7,C8) or
(0,C2,C3,C4,C5,C6,C7,C8) or (1,C2,C3,C4,C5,C6,C7,C8) or (P,C2,C3,C4,C5,C6,C7,C8)
where P is a cipher parity bit.

(b) The 7-bit CFB(a) mode is defined in the standard in order to encipher and decipher
7-bit data units and still use an 8-bit feedback path.

Most computer and communication systems are designed to efficiently handle full
8-bit bytes. When using 7-bit codes the eighth bit of the byte is often used as a
parity bit so that the byte is of the form (p,b7,b6,b5,b4,b3,b2,b1). These systems
often generate the parity bit during transmission and check its validity during
reception. In such systems the parity bit on cipher text would be automatically
modified during transmission. In this case, the encryption and decryption
processes must operate independently of the parity bits and the 8-bit CFB(a)
mode should be used.

NOTE: These changes are provided to make the specification of the 7-bit
CFB(a) mode consistent with that specified in a proposed American National
Standard for the Modes of Operation of the Data Encryption Algorithm. The
8-bit CFB(a) mode and its extensions are defined in FIPS PUB 31 so that they
may be used in many application standards.
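The effect of forcing bit one of the feedback path can be seen in the following sketch, which is an added example and not part of the standard. It assumes a keyed HMAC-SHA256 truncated to 64 bits as a stand-in for DES (CFB uses only the encrypt direction) and a constructed channel that regenerates the parity bit; the function names are hypothetical.

```python
import hashlib
import hmac

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for DES (assumption): a keyed PRF truncated to one 64-bit block.
    # CFB only runs the cipher in the encrypt direction, so this is sufficient.
    return hmac.new(key, block, hashlib.sha256).digest()[:8]

def shift_in(register: bytes, feedback: int) -> bytes:
    # Drop the leftmost 8 bits of the DES input block, append the feedback byte.
    return register[1:] + bytes([feedback])

def cfb8(key, iv, data, decrypt=False, variant_a=False):
    # 8-bit CFB. With variant_a, bit position one (the leftmost bit) of the
    # feedback is forced to "1", giving (1,C2,...,C8) as in 8-bit CFB(a).
    register, out = iv, bytearray()
    for unit in data:
        o = block_encrypt(key, register)[0]    # leftmost 8 bits of output block
        result = unit ^ o
        cipher = unit if decrypt else result   # feedback is always cipher text
        register = shift_in(register, cipher | 0x80 if variant_a else cipher)
        out.append(result)
    return bytes(out)

def regenerate_parity(data: bytes) -> bytes:
    # Constructed channel model: the link overwrites bit one of every byte
    # with even parity computed over the 7 low-order bits.
    return bytes((b & 0x7F) | ((bin(b & 0x7F).count("1") & 1) << 7) for b in data)

def demo():
    key = bytes.fromhex("0123456789abcdef")
    iv = bytes.fromhex("1234567890abcdef")
    text = b"Now is the time for "             # 7-bit codes, bit one clear
    recovered = {}
    for variant_a in (False, True):
        sent = cfb8(key, iv, text, variant_a=variant_a)
        received = regenerate_parity(sent)
        plain = cfb8(key, iv, received, decrypt=True, variant_a=variant_a)
        recovered[variant_a] = bytes(b & 0x7F for b in plain)  # ignore bit one
    return text, recovered

if __name__ == "__main__":
    text, recovered = demo()
    print("8-bit CFB    :", recovered[False])
    print("8-bit CFB(a) :", recovered[True])
```

With plain 8-bit CFB the rewritten parity bit enters the receiver's shift register and the two ends lose synchronization; with 8-bit CFB(a) both registers hold the same (1,C2,...,C8) bytes and the seven information bits are recovered.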